Use advisory related aliases to compare conflicting advisories

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/migrations/0093_advisorytodo.py

@@ -1,4 +1,4 @@
-# Generated by Django 4.2.20 on 2025-06-03 17:36
+# Generated by Django 4.2.20 on 2025-06-03 18:13
 
 from django.db import migrations, models
 
@@ -59,7 +59,10 @@ class Migration(migrations.Migration):
                         max_length=50,
                     ),
                 ),
-                ("issue_detail", models.TextField(help_text="Additional details about the issue.")),
+                (
+                    "issue_detail",
+                    models.TextField(blank=True, help_text="Additional details about the issue."),
+                ),
                 (
                     "created_at",
                     models.DateTimeField(
@@ -76,12 +79,16 @@ class Migration(migrations.Migration):
                 (
                     "resolved_at",
                     models.DateTimeField(
-                        help_text="Timestamp indicating when this TODO was resolved."
+                        blank=True,
+                        help_text="Timestamp indicating when this TODO was resolved.",
+                        null=True,
                     ),
                 ),
                 (
                     "resolution_detail",
-                    models.TextField(help_text="Additional detail on how this TODO was resolved."),
+                    models.TextField(
+                        blank=True, help_text="Additional detail on how this TODO was resolved."
+                    ),
                 ),
                 (
                     "advisories",

vulnerabilities/models.py

@@ -2301,6 +2301,7 @@ class AdvisoryToDo(models.Model):
     )
 
     issue_detail = models.TextField(
+        blank=True,
         help_text="Additional details about the issue.",
     )
 
@@ -2322,12 +2323,19 @@ class AdvisoryToDo(models.Model):
     )
 
     resolved_at = models.DateTimeField(
+        null=True,
+        blank=True,
         help_text="Timestamp indicating when this TODO was resolved.",
     )
 
     resolution_detail = models.TextField(
+        blank=True,
         help_text="Additional detail on how this TODO was resolved.",
     )
 
     class Meta:
         unique_together = ("related_advisories_id", "issue_type")
+
+    def save(self, *args, **kwargs):
+        self.full_clean()
+        return super().save(*args, **kwargs)

vulnerabilities/pipelines/compute_advisory_todo.py

@@ -31,7 +31,7 @@ def steps(cls):
         )
 
     def compute_individual_advisory_todo(self):
-        advisories = Advisory.objects.all().paginated()
+        advisories = Advisory.objects.all().iterator(chunk_size=2000)
         advisories_count = Advisory.objects.all().count()
 
         self.log(
@@ -62,10 +62,14 @@ def detect_conflicting_advisories(self):
 
         self.log(f"Cross validating advisory affected and fixed package for {aliases_count} CVEs")
 
-        progress = LoopProgress(total_iterations=aliases_count, logger=self.log)
-        for alias in progress.iter(aliases.paginated()):
+        progress = LoopProgress(
+            total_iterations=aliases_count,
+            logger=self.log,
+            progress_step=1,
+        )
+        for alias in progress.iter(aliases.iterator(chunk_size=2000)):
             advisories = (
-                Advisory.objects.filter(aliases__contains=alias.alias)
+                Advisory.objects.filter(aliases__in=aliases)
                 .exclude(advisory_todos__issue_type="MISSING_AFFECTED_AND_FIXED_BY_PACKAGES")
                 .distinct()
             )
@@ -87,9 +91,8 @@ def detect_conflicting_advisories(self):
 def check_missing_summary(advisory, todo_id, logger=None):
     if not advisory.summary:
         todo, created = AdvisoryToDo.objects.get_or_create(
-            unique_todo_id=todo_id,
+            related_advisories_id=todo_id,
             issue_type="MISSING_SUMMARY",
-            issue_detail="",
         )
         if created:
             todo.advisories.add(advisory)
@@ -107,6 +110,9 @@ def check_missing_affected_and_fixed_by_packages(advisory, todo_id, logger=None)
     has_affected_package = False
     has_fixed_package = False
     for affected in advisory.to_advisory_data().affected_packages or []:
+        if not affected:
+            continue
+
         if has_affected_package and has_fixed_package:
             break
         if not has_affected_package and affected.affected_version_range:
@@ -121,12 +127,11 @@ def check_missing_affected_and_fixed_by_packages(advisory, todo_id, logger=None)
         issue_type = "MISSING_AFFECTED_AND_FIXED_BY_PACKAGES"
     elif not has_affected_package:
         issue_type = "MISSING_AFFECTED_PACKAGE"
-    elif has_fixed_package:
+    elif not has_fixed_package:
         issue_type = "MISSING_FIXED_BY_PACKAGE"
     todo, created = AdvisoryToDo.objects.get_or_create(
-        unique_todo_id=todo_id,
+        related_advisories_id=todo_id,
         issue_type=issue_type,
-        issue_detail="",
     )
     if created:
         todo.advisories.add(advisory)
@@ -246,9 +251,11 @@ def check_conflicting_affected_and_fixed_by_packages(
 
     todo_id = advisories_checksum(advisories)
     todo, created = AdvisoryToDo.objects.get_or_create(
-        unique_todo_id=todo_id,
+        related_advisories_id=todo_id,
         issue_type=issue_type,
-        issue_detail="\n".join(messages),
+        defaults={
+            "issue_details": "\n".join(messages),
+        },
     )
     if created:
         todo.advisories.add(*advisories)